Hacking Into an iPhone is Not as Hard as You Think

Apple has made it clear that it intends to fight the FBI’s demands for a backdoor into the iPhone all the way to the Supreme Court. That makes sense, given that privacy is both a principle and a product for the company behind the world’s most recognizable smartphone. Apple and other companies are facing increasing demands from the government to build backdoor access into their devices, and they’re fighting those demands to protect the security of their platforms.

But as Min Pyo Hong of app security company SEWORKS reports for TechCrunch, there’s another motivation at play in Apple’s resistance to the FBI’s demands — one that Apple doesn’t want to talk about. And that’s the fact that the iPhone is already vulnerable to hackers. To be clear, it’s not just Apple’s iPhone that’s vulnerable. (Android smartphones and devices powered by other platforms are, too.) But as Hong notes, the iPhone already has backdoors that Apple hasn’t yet closed.

Though he can’t publicly share the details of the vulnerability, Hong reports “at least one instance where black hat hackers have been able to extract data from an iPhone with a recent OS by directly accessing it through critical flaws that enable a backdoor into, and data extraction from, a designated device.” The breach was uncovered by a member of the hacker community, and while Hong is unable to confirm whether this hacking method would work on an iPhone running the latest version of iOS, iPhone users should still take note.

As suggested by a recent case in New York, in which Apple extracted data similar to an iPhone backup from an iPhone that was running an older version of iOS, anyone who’s determined enough can find a way around the iPhone’s protections. Hong suggests that “hackers are bound to find workarounds to backdoor the latest version, too,” and notes that “this is just one potential backdoor among many.” Hackers find iPhone vulnerabilities and sell them to the highest bidder, or keep them in reserve “to use as a potential cyber weapon against Apple down the road.”

Such exploits enable hackers to quietly connect to an iPhone without the user’s knowledge to extract data from it, control it remotely, or even spy on what the user is doing. Hong reports that while Apple says that creating a backdoor for the FBI would “put iPhone owners on a slippery slope of security intrusions,” it’s actually “more accurate to say that the iPhone has been careening down that slope for quite some time.”

While the FBI has made an official request for backdoor access into the iPhone, hackers and foreign governments have been working to create unauthorized backdoors of their own, usually without Apple’s knowledge, in order to access documents of officials in rival governments. If Apple creates a backdoor for the FBI, that would assist the efforts of these hackers and governments, who will eventually discover a way in to the backdoor that Apple creates.

Hong explains that while a majority of Americans assume that the government’s demand for a backdoor is a reasonable request, one that would make us safer from terrorist attacks, they don’t understand how insecure their devices already are. “A system is only as secure as its most vulnerable link, and becomes geometrically less secure with each additional vulnerability,” he writes. “It is a final irony that the FBI has inadvertently exposed the U.S. tech industry’s Achilles’ heel — and threatens to make our devices even more vulnerable to those who wish to do us harm.”

It’s a long-running misconception about Apple that the iPhone is immune to malware or impenetrable to hackers because Apple has extensive control over iOS. That’s simply untrue. With minimal effort, you can easily uncover entire databases of security vulnerabilities that affect iOS, some that are minor or affect only older versions of Apple software, but many that could potentially enable hackers to execute code or cause a denial of service, or ones that affect the latest versions of Apple’s mobile operating system or its key apps.

Those vulnerabilities may not have led to a breach or a hack just yet, but that doesn’t mean that they don’t affect the security of the iPhone. If exploited, these vulnerabilities could enable hackers to figure out how to access your data, spy on your activities, or even control your iPhone. While iOS certainly isn’t alone in having numerous vulnerabilities that are cataloged and just waiting to be exploited, it’s unique in that people think that it’s impervious to hackers when, in reality, hackers have probably already identified numerous ways into the iPhone.

As Walt Mossberg reported recently for The Verge, it’s not just the software that runs directly on the iPhone that can put your privacy at risk. There’s a big loophole in Apple’s privacy and encryption: its iCloud service and iCloud backup. While Apple can’t decrypt what’s on an iPhone itself, Apple can decrypt most of what’s in an iCloud backup, and occasionally turns over the contents of iCloud backups to the FBI and other law enforcement agencies. And if you use other companies’ cloud services on your iPhone, anything you store with them can either be unencrypted, or subject to decryption by keys that the provider holds.

Additionally, all cloud services are vulnerable to exploits like phishing attacks, password-reset tricks, as well as major hacks and attacks. Mossberg notes that too few people use two-factor authentication, which is offered by Apple and many other service providers, to boost security. Mossberg reports that Apple treats the security of an iPhone differently from the security of iCloud because the iPhone is an object that can be lost or stolen. But in the case of iCloud, Apple opts to preserve the ability to help a user restore his or her data. That’s by design, but thinking about it should make it clear that your iPhone probably isn’t quite as secure as you assume.